Tenable CSO praises APT1 report as a standard for information sharing

News by Dan Raywood

The APT1 report has been praised and releasing the indicators of compromise (IOCs) "was a very good thing for all of us".

The APT1 report has been praised and releasing the indicators of compromise (IOCs) "was a very good thing for all of us".

According to a blog post by Tenable Network Security chief security officer Marcus Ranum, the Mandiant APT1 report was a stimulant for worthwhile discussion for the next five years.

“I think the report is a good thing, a sign of deep dysfunction in security, a stimulant to information sharing, an indicator of failed foreign policy, a brilliant marketing manoeuvre and a bit of business as usual,” he said.

He said that he believed any information and incident sharing is good, and while there is little in the report that can be considered actionable, other than the IOCs, this will help organisations understand that targeted malware attacks are a problem and that it serves to document that attacks are real.

He also said that the most valuable aspect of the report is that this demonstrates that they can happen to anyone, and this will show executive management that "we've always been in the deep end of the swimming pool and that it never was amateur hour".

Despite some criticisms that the report revealed too much information, Ranum said that this was a very good thing. “Since many organisations will now be able to use them to look back into the past and discover things they might have been happier not knowing,” he said.

“The IOCs will provide indisputable data; I've already heard a few security executives ask, ‘if we look for this, and we find something, what does that mean?' What I hope will happen from the APT1 report is we'll get some industry-wide reassessment of the effectiveness of some tools and techniques. It's that kind of information that remains sadly lacking.”

Ranum concluded by saying that the type of information sharing that is needed is around techniques and practices, tied to strong statements about what worked and what does not, specifically from those who were there when it happened

“Until we start talking about that, our learning experiences remain private and much more costly since they will be repeated over and over again. The important point about the IOCs is that they're a measure of how ‘too late' you may be,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews